On 4 Mar 2010, at 10:03, Ryan Steele wrote:
Damn straight it doesn't work. I end up shooting it in the face wherever I can. For some reason, SLES seems to be particularly good at breaking things, IME. Debian/Ubuntu and RHEL/CentOS seem to be more forgiving - slightly.
Anyway - I've also been hacking out a caching proxy config for our enterprise directory, so for what it's worth, this is it. It's by no means optimised - so feel free to hack it to pieces.
I've omitted the access controls and ssf constraints, since that's not going to be useful for all setups.
# back-ldap connection to the real directory: upgrade with STARTTLS and insist on a CA-validated server certificate
tls start tls_cacert=/etc/ssl/certs/cacert.org.pem tls_reqcert=demand
rootpw <secret squirrel stuff>
# pcache overlay: hdb cache database, at most 10000 cached entries, 1 attribute set, a cacheable query may return at most 1000 entries, consistency (expiry) check every 100 seconds
pcache hdb 10000 1 1000 100
# attribute set 0: the attributes nslcd requests when resolving passwd/group entries; queries asking for anything outside this set bypass the cache
pcacheAttrset 0 cn uid llnwUnixUsername uidNumber gidNumber member memberUid homeDirectory loginShell
# query templates: the filter shape with assertion values blanked; a search is cached only if its filter reduces to one of these (attrset 0, positive answers kept for 3600 seconds)
pcacheTemplate (&(objectClass=)(llnwUnixUsername=)) 0 3600
pcacheTemplate (&(objectClass=)(cn=)) 0 3600
pcacheTemplate (&(objectClass=)(gidNumber=)) 0 3600
pcacheTemplate (objectClass=) 0 3600
pcacheTemplate (&(objectClass=)(|(member=)(memberUid=))) 0 3600
pcacheTemplate (&(objectClass=)(member=)) 0 3600
pcacheTemplate (&(objectClass=)(memberUid=)) 0 3600
# bind caching: simple binds against entries found by this template (subtree search under the base) are cached locally and refreshed after 1800 seconds
pcacheBind (&(objectClass=posixAccount)(llnwUnixUsername=)) 0 1800 sub dc=llnw,dc=com
[This gets set up to listen only to the ldapi:/// URI, and nslcd.conf has a "uri ldapi:///" line in its config]
Our internal schema has uid set to <name>@llnw.com, so that won't do as a login name - we have an internal attribute llnwUnixUsername which does the same thing. You might well want to substitute uid where that exists.
And while nssov is really cute, since it exists in the same process space as slapd, it doesn't end up triggering the pcache, which does get fired upon incoming LDAP requests from an external process (nslcd). It's probably that I just suck, and didn't configure slapd quite right, but that's why I ended up still using nslcd and slapd on the same box.
On the plus side, this works quite well for laptop configurations which have partial connectivity. Mind you, when I mentioned having enterprise credentialing on personal laptops to my colleagues, the response was ... less than enthusiastic.
Anyway - hope this helps.
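Added example, not part of the original post or of OpenLDAP: a small model of the decision pcache makes for each incoming search, using the attrset and templates from the config above (copied into the script as constructed data). It blanks the assertion values of a search filter to get its template string, looks that up against the configured pcacheTemplate entries, and checks that the requested attributes fit the attrset. The matching rules (case-insensitive template comparison, an empty attribute list meaning "all user attributes") are a simplification assumed here, not a transcription of pcache's source. It is useful for answering "why didn't this query hit the cache" before touching slapd, e.g. a default nslcd filter on uid has no template in this config and would always go to the backend.

```python
"""Model of OpenLDAP pcache cacheability: filter -> template -> attrset check.
Simplified illustration of the overlay's behaviour, not OpenLDAP's own code."""

# Constructed from the posted slapd.conf fragment.
ATTRSETS = {
    0: {"cn", "uid", "llnwUnixUsername", "uidNumber", "gidNumber",
        "member", "memberUid", "homeDirectory", "loginShell"},
}
TEMPLATES = [  # (template string, attrset index)
    ("(&(objectClass=)(llnwUnixUsername=))", 0),
    ("(&(objectClass=)(cn=))", 0),
    ("(&(objectClass=)(gidNumber=))", 0),
    ("(objectClass=)", 0),
    ("(&(objectClass=)(|(member=)(memberUid=)))", 0),
    ("(&(objectClass=)(member=))", 0),
    ("(&(objectClass=)(memberUid=))", 0),
]


def templatize(filt: str) -> str:
    """Blank every assertion value in an RFC 4515 filter string.

    Presence tests (attr=*) are kept as-is, since they are a distinct
    filter type from an equality match and get their own template.
    """
    out = []
    i, n = 0, len(filt)
    while i < n:
        c = filt[i]
        if c in "(&|!)":          # structural characters pass through
            out.append(c)
            i += 1
            continue
        # attribute description runs up to the comparison operator
        j = i
        while j < n and filt[j] not in "=<>~:":
            j += 1
        # operator is everything up to and including the '=' (=, >=, <=, ~=, :=)
        k = j
        while k < n and filt[k] != "=":
            k += 1
        attr, op = filt[i:j], filt[j:k + 1]
        # assertion value runs to the closing paren; '\' escapes the next char
        v = k + 1
        while v < n and filt[v] != ")":
            if filt[v] == "\\":
                v += 1
            v += 1
        value = filt[k + 1:v]
        out.append(attr + op + ("*" if value == "*" else ""))
        i = v
    return "".join(out)


def cacheable(filt: str, attrs):
    """Return the matching configured template string, or None if the
    search would bypass the cache and be forwarded to the remote server."""
    wanted = templatize(filt).lower()
    for tmpl, idx in TEMPLATES:
        if tmpl.lower() != wanted:
            continue
        allowed = {a.lower() for a in ATTRSETS[idx]}
        if not attrs:
            # no attribute list means "all user attributes"; only an
            # attrset containing '*' covers that (assumed simplification)
            return tmpl if "*" in allowed else None
        # '1.1' asks for no attributes and always fits
        if all(a == "1.1" or a.lower() in allowed for a in attrs):
            return tmpl
        return None
    return None


if __name__ == "__main__":
    # Constructed sample queries, shaped like what nslcd sends.
    for f, a in [
        ("(&(objectClass=posixAccount)(llnwUnixUsername=rsteele))", ["uidNumber", "gidNumber"]),
        ("(&(objectClass=posixAccount)(uid=rsteele))", ["uidNumber", "gidNumber"]),
        ("(objectClass=posixAccount)", ["cn", "userPassword"]),
    ]:
        print(f, a, "->", cacheable(f, a) or "NOT CACHED")
```

Run it and compare the output against `slapd -d pcache` (or the pcache debug log level) for the real queries; a query that prints NOT CACHED here but that you expected to be served locally usually means a template is missing or the requested attribute list is wider than the attrset.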